With the Product Security and Telecommunications Infrastructure (PSTI) Bill, the UK takes on the issue of cybersecurity of IoT devices. We asked product compliance expert Marlon Schrimpf what this means for manufacturers and importers in the UK market.
testxchange: Marlon, we are very happy that you could join us for this interview. Could you please introduce yourself to our readers?
Marlon Schrimpf: Yes, I'm Marlon, Schrimpf. I'm the founder of Novelty Compliance. I'm consulting small and medium-sized enterprises when it comes to the buildup of sustainable product compliance structures. I also consult these companies with regards to product safety, ecodesign regulations, and the cybersecurity of IoT devices. In the past, I worked in Brussels, Belgium, as a product compliance manager for a large Japanese company. After that, I moved to the Black Forest in Germany and was responsible for global certifications and approvals of electronic products of a sanitary fittings manufacturer.
testxchange: In your current position, you also have earned experience with the UK market in particular, which brings us to one of the core topics of today’s interview. The UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill. Can you enlighten us a bit about what this bill is about and why was it passed?
Marlon Schrimpf: The background is easy to explain: the British are very sensible to cybersecurity issues and threats that are coming from this area. And the number of IoT devices is exploding - anything that you think of can be connected to the Internet today. In the last five years, a lot of issues popped up, so people were becoming more and more concerned with cybersecurity. These issues were threats by local hackers or foreign institutions and governments that endangered both the privacy and the integrity of the users and IT systems. The increased awareness and bad experiences led to the development of this new law and the introduction of a new kind of risk that will need to be assessed during the initial product compliance assessment from now on. It's similar to the risks that have been assessed in the past - like the risks from electrical power, the risk of electromagnetic effects or hazardous substances. Also, the overall structure of this law is very similar to what we know from the Low Voltage Directive and from the Radio Equipment Directive. As such, the market actors in the supply chain have to do similar things to what they already have done for the other legal requirements of the new legislative framework: They have to assess the risks and they have to prevent the risks from becoming a danger. If they are aware of a vulnerability they have to close it and they have to inform the users about potential dangers. And of course, all this has to be part of the technical documentation. However, there is one addition: the United Kingdom plans to establish a so-called statement of compliance. So you will actually have to provide a piece of paper that says “This product in front of you is safe according to the PSTI law.” We don’t know yet, what it should contain in detail, because there will be an additional implementing regulation for this that will be published hopefully soon.
testxchange: In the case that something does go wrong with an IoT product and a security breach is discovered, what would be the consequences in the UK?
Marlon Schrimpf: It is very similar to what we already have in place today. Authorities will, in case they approach you and you have not been aware of the breach already, ask you to have an assessment of this security breach, they will also ask you to close the vulnerability. If you would not or if you could not comply with what they're asking, they will likely penalize you. Depending on the severity of the case, this could lead to recalls, harsh financial penalties and public communication on the security risk in your products. Compliance in such cases will be especially difficult to importers and distributors that are not in direct contact with the manufacturers, because it will be difficult for them to react and to have the vulnerabilities fixed, even though they are liable.
testxchange: Are you already observing reactions from companies about the new bill?
Marlon Schrimpf: In general, larger companies have been aware of the importance of cybersecurity of their products for many years. Nevertheless many companies did not take action, so, in many cases, products were like open doors for criminals. So the new bill will finally push many to look into the security of their products, maybe also into the architecture behind, because the server to which the products may connect might pose some risks too. This will also mean that companies will have to look into the escalation processes for this topic. They might have to establish a way to patch the firmware that is installed on the products and they should think about establishing a way to inform customers about certain vulnerabilities in their products, to prevent a recall.
On the other hand, dealing with these topics is not only relevant for the UK, but also for the EU, where an amendment of the Radio Equipment Directive was published in 2022 that will enforce similar requirements for continental Europe too.
testxchange: When you look at this year’s new UK legislation and compare it to the current EU regulations on the topic, is your impression that it's drifting apart already considerably or are the UK rules still very similar to what the EU has in place?
Marlon Schrimpf: Both regulations are rather vague in what you have to do as a manufacturer. So both simply tell you to ensure the integrity of the IoT device that you are going to place on the markets. Except for the United Kingdom statement of compliance it is open how to deal with the requirements. And as such, the big question is how to prove that your product is safe. For the moment, there is only the ETSI EN 303 645 standard that was published in 2021. It basically establishes the security by design principles, making sure that from the first idea of your product, you design the product in a way that is fundamentally free of possible security breaches and that establishes some robustness in the overall maintenance processes. Unfortunately, this standard has not yet been harmonized and I think that it won't be in the future within the EU. So, you ask a lab to have a product tested according to the standard, but you would not get the typical safety test report that you might know from your past safety evaluation. It would be a rather loose assessment by an independent lab, where we don’t know yet, if this is sufficient or not. Nevertheless, I would recommend to everyone to have a look into that standard and at least check that the software, the firmware on your products and also the architecture around your products are at least fulfilling the basic security safeguards in this ETSI standard. If you would not have looked into the cybersecurity of your devices at all, the ETSI standard is a good starting point too, as it is written in a way, so that ordinary persons may understand what is needed to ensure a minimum level of security.
testxchange: It is good to know that there is at least one standard in place to rely on.
Marlon Schrimpf: Yes indeed, but there are some other national standards too, that might be worth having a look. In the USA for example, the NISTIR 8259 standard is focusing on the management processes in a company. It explains how escalations and the principles that you should establish in your company should look, to support cybersecurity in IoT products. So if you would have the feeling that improvements in your organization are necessary, this standard might be worth a read.
testxchange: Summing up, when it comes to the PSTI bill: Are there recommendations that you would give to companies to prepare for?
Marlon Schrimpf: If you're an importer or a dealer, start asking the manufacturer or the distributor to provide or to start looking into providing the statement of compliance. Also, think about how you would act in case an authority would approach you after having found a vulnerability in a product. And for all the manufacturers I would recommend, besides the obvious risk assessment actions and the creation of the statement of compliance, to look into how to implement patches for radio modules, or proprietary systems like Android, that are running on your IoT devices. In general I would recommend to start looking into the topic of cybersecurity as soon as possible, because it might be a bigger challenge than you think in the beginning. It is not only about changing your products, it's about changing the development, maintenance and management of your products. As such a lot of departments in your company and potentially also suppliers have to be involved, to find efficient solutions for your current and future product line-up.
In the second part of the interview, testxchange will ask Marlon about the current situation with the UKCA marking. Read on!